Police anti-ransomware warning is hotlinked to 'ransomware.pdf'
This (probably) isn't a spear phishing attack but we were too afraid to verify
Official anti-ransomware advice issued by UK police to businesses can only be read by clicking on a link titled "Ransomware" which leads direct to a file helpfully named "Ransomware.pdf".
In case you've been living under a rock, large chunks of the digitised world, including most of the NHS, were, ahem, digitally disrupted by the WannaCrypt ransomware last week.
A total of 74 countries were hit by the self-spreading cryptoware, which attempted to extort users into paying $300 in Bitcoin.
How did the Metropolitan and City of London police forces' business outreach tentacle deal with the WannaCrypt outbreak, then? This morning, a full four days after the malware had both spread and been contained, it issued an email alert – which, as well as being late, managed to look uncannily like a sketch from a "how not to do it" cartoon.
"Following the ransomware cyber attack on Friday 12 May which affected the NHS and is believed to have affected other organisations globally, the City of London Police's National Fraud Intelligence Bureau has issued an alert urging both individuals and businesses to follow protection advice immediately and in the coming days," it said. Standard stuff.
As you can see, we clicked the link – and after routing through some standard email marketing click tracker stuff, it hotlinks to a file titled "Ransomware.pdf". We chose not to let it open in our VM.
Meanwhile, this is Apple's security advice (many, many other sources are available) on email attachments:
Always use caution when opening (such as by double-clicking) files that come from someone you do not know, or if you were not expecting them. This includes email attachments, instant messaging file transfers, and other files you may have downloaded from the Internet. Any time that you download from a source that has not previously earned your trust, you should take extra precautions. This is because a downloaded file might have a name or icon that makes it appear to be a document or media file (such as a PDF, MP3, or JPEG), when it is actually a malicious application. A malicious application disguised in this manner is known as a "Trojan".
The message and link were sent by a Met copper working for OWL, Online Watch Link. This is a police initiative which we are told "keeps communities safe, helps reduce crime and keeps people informed of what's going on locally".
Presumably local issues don't include cybersecurity. Actual anti-malware guidance written by state actors who generally know what they're doing can be found on the National Cyber Security Centre website. ®